Q&A: Siemens Industrial Security Exec on Cyber Priorities
Decades ago, the term “industrial security” primarily referred to safeguarding physical assets. With the rise of connected industrial control systems, the focus expanded to keep remote intruders out. In both cases, industry professionals often approached security as a mission to keep some malevolent “other” out of their premises and away from critical machinery. While the threat of external threat actors is very real, the greatest danger for industrial companies may be insiders. A 2017 Poneman Institute survey of 377 security professionals in oil and gas facilities reported that the top threat to critical operations is negligent employees (earning 65 percent of responses) followed by malicious or criminal insiders (15 percent). Many security experts also believe employees are generally a greater threat than external hackers in various industries.
In a recent interview, Leo Simonovich, vice president and global head, industrial cyber and digital security at Siemens touches on both internal and external cybersecurity risks, and also touches on the importance of aligning cybersecurity with quality and safety initiatives and the role AI and machine learning can play in protecting against bad actors.
Some industrial organizations have resisted embracing Internet of Things technology out of security fears. Do you see this behavior changing in the near future?
Simonovich: The benefits of digitalization are too great to ignore. Many organizations realize this, and yet, they are inhibited by the fear that once they get connected, their risk is going to increase exponentially. But I think you have to look at the sources of risk. Many organizations think if they are airgapped, then there are safe. The fact is that connectivity gives you the insight into what is happening in your environment and also gives you the opportunity to react.
[Internet of Things World addresses the security concerns for IoT implementation in every vertical, attracting senior security professionals from the world’s biggest organizations. Get your tickets and free expo passes now.]
What is your advice for aligning cybersecurity with other industrial priorities?
Simonovich: We have to separate the progression on the cyber journey from the mechanisms by which you protect yourself.
As you have more information pushed out to the edge, it is important to prioritize your assets based on two perspectives: risk and business priority. You have the highest level of protection going to your most critical assets and lowest level going to your less critical ones.
At the same time, cybersecurity is a journey, and the probability of being attacked is 100 percent. What is important is to take incremental steps to improve one’s readiness to face those attacks. I think of this as resiliency.
What are the core steps organizations should take concerning industrial security?
Simonovich: The steps for us are as follows:
- Develop a strategy.
- Address the fundamentals, which include patching, whitelisting, configuration management, incident response and monitoring.
- Develop a clear plan for deploying resources in case of an attack.
Organizations should have a cyber asset management program that looks at the discovery of assets, maintenance and disposal.
How do you see most industrial companies approaching asset management?
Simonovich: What is important is to be able to look at the cyber asset management from those two perspectives: first as an asset — a physical device — and second, as being a piece of data traveling across your operating environment.